tls: unification of TLS priority settings

src/libknot/quic/quic.c

@@ -147,7 +147,8 @@ static ngtcp2_conn *get_conn(ngtcp2_crypto_conn_ref *conn_ref)
 static int tls_init_conn_session(knot_quic_conn_t *conn, bool server)
 {
 	int ret = knot_tls_session(&conn->tls_session, conn->quic_table->creds,
-	                           QUIC_PRIORITIES, "\x03""doq", true, server);
+	                           conn->quic_table->priority, "\x03""doq",
+	                           true, server);
 	if (ret != KNOT_EOK) {
 		return TLS_CALLBACK_ERR;
 	}

src/libknot/quic/quic_conn.c

@@ -29,6 +29,7 @@
 #include "libdnssec/random.h"
 #include "libknot/attribute.h"
 #include "libknot/error.h"
+#include "libknot/quic/tls_common.h"
 #include "libknot/quic/quic.h"
 #include "libknot/xdp/tcp_iobuf.h"
 #include "libknot/wire.h"
@@ -61,9 +62,17 @@ knot_quic_table_t *knot_quic_table_new(size_t max_conns, size_t max_ibufs, size_
 	res->obufs_max = max_obufs;
 	res->udp_payload_limit = udp_payload;
 
+	int ret = gnutls_priority_init2(&res->priority, KNOT_TLS_PRIORITIES, NULL,
+	                                GNUTLS_PRIORITY_INIT_DEF_APPEND);
+	if (ret != GNUTLS_E_SUCCESS) {
+		free(res);
+		return NULL;
+	}
+
 	res->expiry_heap = malloc(sizeof(struct heap));
 	if (res->expiry_heap == NULL || !heap_init(res->expiry_heap, cmp_expiry_heap_nodes, 0)) {
 		free(res->expiry_heap);
+		gnutls_priority_deinit(res->priority);
 		free(res);
 		return NULL;
 	}
@@ -92,6 +101,7 @@ void knot_quic_table_free(knot_quic_table_t *table)
 		assert(table->ibufs_size == 0);
 		assert(table->obufs_size == 0);
 
+		gnutls_priority_deinit(table->priority);
 		heap_deinit(table->expiry_heap);
 		free(table->expiry_heap);
 		free(table);

src/libknot/quic/quic_conn.h

@@ -33,6 +33,7 @@
 
 #define MAX_STREAMS_PER_CONN 10 // this limits the number of un-finished streams per conn (i.e. if response has been recvd with FIN, it doesn't count)
 
+struct gnutls_priority_st;
 struct ngtcp2_cid; // declaration taken from wherever in ngtcp2
 struct knot_creds;
 struct knot_quic_reply;
@@ -120,6 +121,7 @@ typedef struct knot_quic_table {
 	const char *qlog_dir;
 	uint64_t hash_secret[4];
 	struct knot_creds *creds;
+	struct gnutls_priority_st *priority;
 	struct heap *expiry_heap;
 	knot_quic_cid_t *conns[];
 } knot_quic_table_t;

src/libknot/quic/tls.c

@@ -30,11 +30,6 @@
 #include "libknot/error.h"
 #include "libknot/quic/tls_common.h"
 
-// TODO re-consider those detailed
-#define TLS_DEFAULT_VERSION "-VERS-ALL:+VERS-TLS1.3"
-#define TLS_DEFAULT_GROUPS  "-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-SECP521R1"
-#define TLS_PRIORITIES      "%DISABLE_TLS13_COMPAT_MODE:NORMAL:"TLS_DEFAULT_VERSION":"TLS_DEFAULT_GROUPS
-
 _public_
 knot_tls_ctx_t *knot_tls_ctx_new(struct knot_creds *creds, unsigned io_timeout,
                                  unsigned hs_timeout, bool server)
@@ -49,13 +44,21 @@ knot_tls_ctx_t *knot_tls_ctx_new(struct knot_creds *creds, unsigned io_timeout,
 	res->io_timeout = io_timeout;
 	res->server = server;
 
+	int ret = gnutls_priority_init2(&res->priority, KNOT_TLS_PRIORITIES, NULL,
+	                                GNUTLS_PRIORITY_INIT_DEF_APPEND);
+	if (ret != GNUTLS_E_SUCCESS) {
+		free(res);
+		return NULL;
+	}
+
 	return res;
 }
 
 _public_
 void knot_tls_ctx_free(knot_tls_ctx_t *ctx)
 {
 	if (ctx != NULL) {
+		gnutls_priority_deinit(ctx->priority);
 		free(ctx);
 	}
 }
@@ -70,7 +73,7 @@ knot_tls_conn_t *knot_tls_conn_new(knot_tls_ctx_t *ctx, int sock_fd)
 	res->ctx = ctx;
 	res->fd = sock_fd;
 
-	int ret = knot_tls_session(&res->session, ctx->creds, TLS_PRIORITIES,
+	int ret = knot_tls_session(&res->session, ctx->creds, ctx->priority,
 	                           "\x03""dot", false, ctx->server);
 	if (ret != KNOT_EOK) {
 		goto fail;

src/libknot/quic/tls.h

@@ -29,8 +29,11 @@
 #include <stdint.h>
 #include <sys/types.h>
 
+struct gnutls_priority_st;
+
 typedef struct knot_tls_ctx {
 	struct knot_creds *creds;
+	struct gnutls_priority_st *priority;
 	unsigned handshake_timeout;
 	unsigned io_timeout;
 	bool server;

src/libknot/quic/tls_common.c

@@ -356,7 +356,7 @@ void knot_creds_free(struct knot_creds *creds)
 _public_
 int knot_tls_session(struct gnutls_session_int **session,
                      struct knot_creds *creds,
-                     const char *priority,
+                     struct gnutls_priority_st *priority,
                      const char *alpn,
                      bool early_data,
                      bool server)
@@ -377,7 +377,7 @@ int knot_tls_session(struct gnutls_session_int **session,
 	if (ret == GNUTLS_E_SUCCESS) {
 		gnutls_certificate_send_x509_rdn_sequence(*session, 1);
 		gnutls_certificate_server_set_request(*session, GNUTLS_CERT_REQUEST);
-		ret = gnutls_priority_set_direct(*session, priority, NULL);
+		ret = gnutls_priority_set(*session, priority);
 	}
 	if (server && ret == GNUTLS_E_SUCCESS) {
 		ret = gnutls_session_ticket_enable_server(*session, &creds->tls_ticket_key);

src/libknot/quic/tls_common.h

@@ -29,8 +29,12 @@
 #include <stddef.h>
 #include <stdint.h>
 
-#define KNOT_TLS_PIN_LEN	32
+#define KNOT_TLS_PIN_LEN    32
+#define KNOT_TLS_PRIORITIES "-VERS-ALL:+VERS-TLS1.3:" \
+                            "-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:" \
+                                       "+GROUP-SECP384R1:+GROUP-SECP521R1"
 
+struct gnutls_priority_st;
 struct gnutls_session_int;
 struct gnutls_x509_crt_int;
 struct knot_creds;
@@ -98,7 +102,7 @@ void knot_creds_free(struct knot_creds *creds);
  */
 int knot_tls_session(struct gnutls_session_int **session,
                      struct knot_creds *creds,
-                     const char *priority,
+                     struct gnutls_priority_st *priority,
                      const char *alpn,
                      bool early_data,
                      bool server);

src/utils/common/netio.c

@@ -32,6 +32,7 @@
 #include "utils/common/msg.h"
 #include "utils/common/tls.h"
 #include "libknot/libknot.h"
+#include "libknot/quic/tls_common.h"
 #include "contrib/net.h"
 #include "contrib/proxyv2/proxyv2.h"
 #include "contrib/sockaddr.h"
@@ -521,8 +522,8 @@ int net_connect(net_t *net)
 #endif //LIBNGHTTP2
 			{
 				// Establish TLS connection.
-				ret = tls_ctx_setup_remote_endpoint(&net->tls, &dot_alpn, 1, NULL,
-				        net_get_remote(net));
+				ret = tls_ctx_setup_remote_endpoint(&net->tls, &dot_alpn, 1,
+				        KNOT_TLS_PRIORITIES, net_get_remote(net));
 				if (ret != 0) {
 					net_close(net);
 					return ret;
@@ -546,7 +547,7 @@ int net_connect(net_t *net)
 				return ret;
 			}
 			ret = tls_ctx_setup_remote_endpoint(&net->tls,
-			        &doq_alpn, 1, QUIC_PRIORITY, net_get_remote(net));
+			        &doq_alpn, 1, KNOT_TLS_PRIORITIES, net_get_remote(net));
 			if (ret != 0) {
 				net_close(net);
 				return ret;

src/utils/common/quic.h

@@ -35,10 +35,6 @@ void quic_params_clean(quic_params_t *params);
 
 #include "utils/common/tls.h"
 
-#define QUIC_DEFAULT_VERSION "-VERS-ALL:+VERS-TLS1.3"
-#define QUIC_DEFAULT_GROUPS  "-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-SECP521R1"
-#define QUIC_PRIORITY        "%DISABLE_TLS13_COMPAT_MODE:NORMAL:"QUIC_DEFAULT_VERSION":"QUIC_DEFAULT_GROUPS
-
 typedef enum {
 	CLOSED,    // Initialized
 	CONNECTED, // RTT-0

src/utils/common/tls.c

@@ -533,7 +533,8 @@ int tls_ctx_setup_remote_endpoint(tls_ctx_t *ctx, const gnutls_datum_t *alpn,
 	}
 
 	if (priority != NULL) {
-		ret = gnutls_priority_set_direct(ctx->session, priority, NULL);
+		ret = gnutls_set_default_priority_append(ctx->session, priority,
+		                                         NULL, 0);
 	} else {
 		ret = gnutls_set_default_priority(ctx->session);
 	}